TRENDING TOPICS APR 14, 2025

Microsoft Issues Critical Fixes for Active Directory Policy and Windows Server 2025 Failures 

Microsoft has issued out-of-band updates to address a widespread issue affecting local audit policy reporting on systems managed by Active Directory Group Policy. Admins noticed that even when logon auditing was functioning correctly, the local Group Policy Editor displayed it as disabled, creating confusion and potential compliance concerns. The issue affected multiple Windows versions, including Windows 11, Windows Server 2022, Server 2019, and Azure Stack HCI. The emergency updates (KB5058919 through KB5058922) are cumulative and can be installed directly from the Microsoft Update Catalog. Microsoft emphasized that home users are unlikely to be affected, as the issue primarily impacts enterprise environments with centralized policy enforcement. These updates do not address a security vulnerability, but they are essential for restoring accurate visibility into audit configurations. The issue emerged after the April 2025 Patch Tuesday rollout, and organizations are strongly advised to apply the latest updates and follow Microsoft's guidance to ensure system integrity.

In a separate but related problem, Microsoft also warned that some Windows Server 2025 domain controllers may become inaccessible after a reboot. This occurs because the system defaults to the standard firewall profile instead of the domain-specific rules, blocking necessary traffic or exposing unintended services. The problem disrupts applications and services that depend on the domain controller, potentially rendering parts of the network unusable until manual intervention is performed. Microsoft recommends restarting the network adapter after every reboot, or automating this action through a scheduled task, until a permanent patch is available. While this issue does not affect older server versions, it highlights instability introduced with recent updates and the ongoing challenges of managing early-release enterprise systems.
Combined with earlier reports of issues in Office 2016, Windows Hello, and Kerberos authentication, these problems suggest a broader pattern of post-update disruptions that IT teams must closely monitor. All issues are tied to the April 2025 update cycle, and administrators should remain vigilant by staying current with Microsoft's official patches and mitigation steps. 

CVE-2025-3102: Critical Authentication Bypass in SureTriggers Plugin Actively Exploited 

A vulnerability in the SureTriggers (now OttoKit) WordPress plugin is being exploited, allowing unauthenticated attackers to create administrator accounts on vulnerable sites. The flaw, tracked as CVE-2025-3102 with a CVSS score of 8.1, impacts all plugin versions up to 1.0.78 and is only exploitable when the plugin is installed but not configured with an API key. The issue stems from a missing empty-value check in the authenticate_user() function of the plugin's REST API: when both the authorization header and the stored key are empty, the two compare as equal and access is granted. Attackers exploit this by sending specially crafted requests with empty authorization headers, triggering the bypass. The vulnerability was responsibly disclosed by researcher 'mikemyers' on March 13, and the developer, Brainstorm Force, released a patch (version 1.0.79) on April 3. Despite the quick response, exploitation in the wild began within four hours of public disclosure. WordPress security platforms, including Wordfence and Patchstack, have since issued alerts, with Wordfence deploying immediate protection for premium users and scheduled coverage for free users on May 1.

More than 100,000 WordPress sites are running the SureTriggers/OttoKit plugin, though only a subset is vulnerable because the plugin must still be in its default, unconfigured state. Attackers have been observed using this flaw to automate the creation of administrator accounts with randomized credentials, which could then be used to upload backdoors, inject spam, or redirect site visitors to malicious content. Exploitation attempts have been tracked from IPv4 and IPv6 addresses, targeting specific REST API endpoints to trigger the vulnerability. Users are strongly advised to update to version 1.0.79 immediately and review site logs for suspicious activity, particularly unexpected admin accounts, plugin or theme changes, or unusual API calls.
This incident highlights the need for proper configuration of plugins and rapid response to disclosure timelines, as delays in patching leave sites exposed to opportunistic threats. Admins should also consider implementing layered defenses, including endpoint firewalls and regular plugin audits, to mitigate the risk of similar vulnerabilities in the future. 
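The bug class described above, reconstructed in Python as an added example; this is not the SureTriggers/OttoKit code (the plugin itself is PHP), and the header name, key value and function names are assumptions. It shows why "empty header equals empty stored key" authorises an unauthenticated caller, and what a fail-closed check looks like.

```python
"""Illustration of the missing empty-value check behind CVE-2025-3102.

The vulnerable handler compares the request's API-key header with the key
stored in the plugin settings. On a site where the plugin was installed but
never configured, both values are empty, so the comparison succeeds and the
request is treated as authenticated. The fixed handler refuses to authenticate
anyone while no key is configured, rejects empty headers, and compares in
constant time. Header and option names here are assumptions, not the plugin's.
"""
import hmac
from typing import Optional

HEADER = "st_authorization"   # assumed header name used for the API key


def authenticate_user_vulnerable(headers: dict, stored_key: Optional[str]) -> bool:
    """Mirrors the flaw: None == None and '' == '' both evaluate as a match."""
    provided = headers.get(HEADER)
    return provided == stored_key


def authenticate_user_fixed(headers: dict, stored_key: Optional[str]) -> bool:
    """Fail closed when the plugin is unconfigured or the header is absent/empty."""
    provided = headers.get(HEADER)
    if not stored_key or not provided:
        return False
    return hmac.compare_digest(stored_key.encode(), provided.encode())


# Constructed request scenarios: (label, request headers, key stored in settings)
KEY = "k3y-constructed-example"
SCENARIOS = [
    ("unconfigured site, no header",    {},               None),
    ("unconfigured site, empty header", {HEADER: ""},     ""),
    ("configured site, no header",      {},               KEY),
    ("configured site, wrong key",      {HEADER: "x"},    KEY),
    ("configured site, right key",      {HEADER: KEY},    KEY),
]


def compare_checks() -> dict:
    """Return {label: (vulnerable_result, fixed_result)} for every scenario."""
    return {label: (authenticate_user_vulnerable(h, k), authenticate_user_fixed(h, k))
            for label, h, k in SCENARIOS}


if __name__ == "__main__":
    for label, (vuln, fixed) in compare_checks().items():
        print(f"{label:34} vulnerable={'ALLOW' if vuln else 'deny':5} "
              f"fixed={'ALLOW' if fixed else 'deny'}")
```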

BPFDoor Malware Resurfaces in Global Espionage Campaigns Linked to Earth Bluecrow 

A recent wave of cyber espionage attacks has highlighted the re-emergence of BPFDoor, a stealthy Linux-based backdoor linked to the China-nexus APT group Earth Bluecrow (also known as Red Menshen). The malware has been observed targeting telecommunications, financial, and retail sectors across South Korea, Myanmar, Egypt, Malaysia, and Hong Kong. BPFDoor leverages the Berkeley Packet Filter (BPF) to monitor and respond to specific "magic sequence" packets at the kernel level, bypassing traditional firewalls and detection systems. Its design allows it to hide processes, avoid listening on open ports, and leave minimal trace in logs, making it ideal for persistent access and long-term surveillance.

Trend Micro researchers report that the malware activates covertly via specially crafted TCP, UDP, or ICMP packets, enabling attackers to deploy reverse shells without tripping typical security alerts. BPFDoor's reverse shell functionality allows Earth Bluecrow operators to remotely execute commands on compromised systems and move laterally across networks. A custom controller interface enables the attacker to configure parameters such as destination ports, passwords, and protocol, allowing tailored deployment across varying targets. This level of customization and stealth makes BPFDoor particularly dangerous in enterprise and government environments. The malware's continued evolution underscores the need for organizations to monitor low-level network traffic for abnormal packet behavior, especially ICMP and TCP traffic with irregular payloads. With its advanced obfuscation techniques and the backing of a well-resourced threat group, BPFDoor poses a serious threat to infrastructure, requiring enhanced detection, response capabilities, and proactive defense strategies to mitigate its reach.
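One way to act on the advice above about irregular ICMP payloads, as an added example that is not Trend Micro's or any published rule: parse raw IPv4/ICMP packets and flag echo requests whose payload is not an ordinary ping pattern. The sample packets are constructed; the normal-ping patterns (the Windows string and iputils' data[i] = i fill after its timestamp) are the only assumptions.

```python
"""Flag ICMP echo requests whose payload does not look like a normal ping.
Windows ping sends 'abcdefghijklmnopqrstuvwabcdefghi'; iputils fills data[i] = i
after an 8- or 16-byte timestamp. Anything else is worth a second look."""
import struct

WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"


def build_ipv4_icmp_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 + ICMP echo request (checksums left as zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload   # type 8 = echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # protocol 1 = ICMP
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]                        # skip IHL*4 header bytes
    if len(icmp) < 8:
        return None
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    return src, dst, icmp[0], icmp[8:]


def payload_looks_like_ping(payload: bytes) -> bool:
    """True for the Windows pattern or the iputils pattern (data[i] == i & 0xFF
    after an 8- or 16-byte timestamp); an empty payload is treated as normal."""
    if payload == WINDOWS_PATTERN:
        return True
    return any(all(payload[i] == (i & 0xFF) for i in range(ts, len(payload)))
               for ts in (8, 16))


def find_odd_echo_requests(packets):
    """Return (src, dst, payload_len, first 8 payload bytes as hex) per odd echo request."""
    hits = []
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None or parsed[2] != 8:
            continue
        src, dst, _, payload = parsed
        if not payload_looks_like_ping(payload):
            hits.append((src, dst, len(payload), payload[:8].hex()))
    return hits


# Constructed sample traffic: a Linux ping, a Windows ping, and one odd echo request
LINUX_PING = bytes(16) + bytes(range(0x10, 0x38))   # fake timestamp + iputils fill
SAMPLE_PACKETS = [
    build_ipv4_icmp_echo("10.0.0.5", "10.0.0.9", LINUX_PING),
    build_ipv4_icmp_echo("10.0.0.6", "10.0.0.9", WINDOWS_PATTERN),
    build_ipv4_icmp_echo("198.51.100.7", "10.0.0.9", b"\x00\x00constructed-odd-payload"),
]
```

Running `find_odd_echo_requests(SAMPLE_PACKETS)` reports only the third packet; in practice the packets would come from a pcap or a raw socket, and a TCP/UDP variant of the same idea would look at payloads arriving on ports with no listener.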

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.